Re: [dmarc-ietf] Signaling forwarders, not just MLMs

Barry Leiba <barryleiba@computer.org> Thu, 13 April 2023 16:44 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF06C14CE38 for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 09:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QDJVt2X_FW_v for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 09:44:03 -0700 (PDT)
Received: from mail-ej1-f48.google.com (mail-ej1-f48.google.com [209.85.218.48]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2263DC152A14 for <dmarc@ietf.org>; Thu, 13 Apr 2023 09:44:03 -0700 (PDT)
Received: by mail-ej1-f48.google.com with SMTP id qb20so38556367ejc.6 for <dmarc@ietf.org>; Thu, 13 Apr 2023 09:44:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681404241; x=1683996241; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NasnAMTwAGIwU5UWl0ENGoUHxzY+2JuIHpqG92hblqE=; b=jyrD7mCl6IDgblpL8b7xRRPPGV6l6YlvShyfGaaJzkmOvlBe/gdDMuvnD1hNgNW8Vz lZUF4KxpkAlRbaOTAeMm8gP1nqxg3nuaUNhwelokzwDirZ/sbfDKiIX7axYANX9UHAC0 haVj/xGjdRRMeUBfre1qWpZsruDrecmLm5ijj2EnYtbXqfOafOJ7bxfZJSxsxI1tBu0r 4NT/ctbDSMABv0LUC+Z/TVQFEuMrsxxFBKRnwMQrNhuIOhUme+EAfyPrQvgdKaMRwQLD KYJapYCROZfDAYp2XwoD2m8RvKTFetVHd/Kz9mpO6qTNlDlCT/xIYPgLabrRcIYwuz5m mAfw==
X-Gm-Message-State: AAQBX9dhSr7bGoZJ9+qeOQe4cL9+Bf9eBON+pITGKx1fwgpeeVDT6XIM FpiqJge3Tx4hnt+RM8ldnrr1EwP4VKWeu19ZsKQ=
X-Google-Smtp-Source: AKy350ZDpz4xxs701hk/qEAOcQs1MY1qXK/5ROP3JU+kfteD0JppTpvqKRjhPADE67TreCHpbz6PdGI87oaGOzUeM74=
X-Received: by 2002:a17:906:3286:b0:932:e546:b8bb with SMTP id 6-20020a170906328600b00932e546b8bbmr1622297ejw.0.1681404241196; Thu, 13 Apr 2023 09:44:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwYbbLLq-qLg_Wnp5aFw_2my4UTZz3U3LjwbCmpMNdudfA@mail.gmail.com> <20230413151342.B96D0BF17F1F@ary.qy> <CALaySJKM5Kct0u0ekuEBS=DVQTXG_CiewpzNwVyPiAaQ9zx3VA@mail.gmail.com> <CAHej_8nyYrCXPo8aYOb+cVSf=2NQDOBmUgo-FD=ohPBZ=yFuHw@mail.gmail.com> <CALaySJ+6JxGua90o8kgyoFH48swn6f0g8x+Jx4By4jQnC7ot8w@mail.gmail.com> <CAJ4XoYddHX20JOJfURAsVhpzi6HobX90qim=5Zw2jpbq5KsNJw@mail.gmail.com>
In-Reply-To: <CAJ4XoYddHX20JOJfURAsVhpzi6HobX90qim=5Zw2jpbq5KsNJw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 13 Apr 2023 12:43:49 -0400
Message-ID: <CALaySJJO=Cp4s+LY9R7dCbao5P9N82n_r1qG7v7iKYmRymSX0A@mail.gmail.com>
To: Dotzero <dotzero@gmail.com>
Cc: Todd Herr <todd.herr@valimail.com>, John Levine <johnl@taugh.com>, dmarc@ietf.org, superuser@gmail.com
Content-Type: multipart/alternative; boundary="00000000000085433f05f93a6e80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sufyL__MP31yRq8GUqmAOWOBiqY>
Subject: Re: [dmarc-ietf] Signaling forwarders, not just MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 16:44:07 -0000

We can say that as well, but I want to specifically say "don't use SPF
without DKIM and expect it to work right;"

b


On Thu, Apr 13, 2023 at 12:41 PM Dotzero <dotzero@gmail.com> wrote:

>
>
> On Thu, Apr 13, 2023 at 12:19 PM Barry Leiba <barryleiba@computer.org>
> wrote:
>
>> Maybe just add a sentence to the end of the second paragraph:
>>
>>    The use of SPF alone, without DKIM, is strongly NOT RECOMMENDED.
>>
>> Barry
>>
>
> I think the opposite. Something along the lines of "Sending domains SHOULD
> implement both SPF and DKIM to minimize breakage and non-delivery of mail.
>
> Michael Hammer
>
>
>>
>>
>> On Thu, Apr 13, 2023 at 12:04 PM Todd Herr <todd.herr@valimail.com>
>> wrote:
>>
>>> On Thu, Apr 13, 2023 at 11:21 AM Barry Leiba <barryleiba@computer.org>
>>> wrote:
>>>
>>>> > Anyone who does forwarding is damaged by DMARC because there are a
>>>> lot of
>>>> > people who do DMARC on the cheap with SPF only.
>>>>
>>>> This brings up another issue, I think: that there should also be
>>>> stronger advice that using DKIM is critical to DMARC reliability, and
>>>> using SPF only, without DKIM, is strongly NOT RECOMMENDED.
>>>>
>>>> I don't disagree.
>>>
>>> How do we make the following text stronger?
>>> 5.5.2.
>>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2>Configure
>>> Sending System for DKIM Signing Using an Aligned Domain
>>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#name-configure-sending-system-fo>
>>>
>>> While it is possible to secure a DMARC pass verdict based on only one of
>>> SPF or DKIM, it is commonly accepted best practice to ensure that both
>>> authentication mechanisms are in place to guard against failure of just one
>>> of them.
>>>
>>> This is particularly important because SPF will always fail in
>>> situations where mail is sent to a forwarding address offered by a
>>> professional society, school or other institution, where the address simply
>>> relays the message to the recipient's current "real" address. Many
>>> recipients use such addresses and with SPF alone and not DKIM, messages
>>> sent to such users will always produce DMARC fail.
>>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2-2>
>>>
>>> The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d=
>>> domain in the DKIM-Signature header) that aligns with the Author Domain.
>>>
>>>
>>> --
>>>
>>> *Todd Herr * | Technical Director, Standards and Ecosystem
>>> *e:* todd.herr@valimail.com
>>> *m:* 703.220.4153
>>>
>>> This email and all data transmitted with it contains confidential and/or
>>> proprietary information intended solely for the use of individual(s)
>>> authorized to receive it. If you are not an intended and authorized
>>> recipient you are hereby notified of any use, disclosure, copying or
>>> distribution of the information included in this transmission is prohibited
>>> and may be unlawful. Please immediately notify the sender by replying to
>>> this email and then delete it from your system.
>>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>